cc/td/doc/product/software/ios124/124tcg
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table Of Contents

Home Agent Accounting

Overview of HA Accounting

Configuring HA Accounting

HA Accounting Configuration Examples


Home Agent Accounting

This chapter discusses concepts related to accounting on the Cisco Mobile Wireless Home Agent, and provides details about how to configure this feature.

This chapter includes the following sections:

Overview of HA Accounting

Synching Accounting Counters with HA Redundancy Setup

Basic Accounting Messages

System Accounting in HA

Messages Not Sent By Mobile IP Home Agent

Configuring HA Accounting

HA Accounting Configuration Examples

Overview of HA Accounting

This feature is primarily developed to allow the HA to interoperate with the Service Selection Gateway (SSG) in the CMX solution. However, this feature can also be used without SSG interaction.

Release 3.0 supports the following enhancements to the Accounting feature:

Home Agent Accounting in a Redundant Setup

Packet count and Byte count in Accounting Records

Additional Attributes in the Accounting Records

Additional Accounting Methods—Interim Accounting is Supported.

As byte count and packet count is performed on the HA, this accounting feature does not need the SSG in the network to generate full accounting information.

The HA Accounting feature includes the following activities:

The HA sends an Accounting Start record when the first binding for a mobile is created.

The HA sends an Accounting Stop record when the last binding for a mobile is deleted.

The HA sends an Accounting Update when Handoff occurs .

Start-stop, and Interim accounting methods are supported.

When a mobileip registration reply with an error code is sent for an authenticated NAI (if a binding does not exit for the NAI), an accounting stop record is sent.

If Re-registration fails for an existing binding, a watchdog message is sent with an appropriate reject code for an authenticated NAI.

The following attributes are sent in Accounting Records:

NAI in Username attribute (1)

MN IP Address in Framed IP Address attribute (8)

Home Agent IP Address(26/7, 3gpp2 attribute)

Care-of-address in Tunnel End Point (66)

Network Access Server (NAS) IP Address attribute (4)

Accounting Status Type attribute (40)

Accounting Session ID (44)

Accounting Terminate Cause(49) - only in accounting stop

Accounting Delay Time(41)

Acct-Input-Octets (42)

Acct-Output-Octets (43)

Acct-Input-Packets (47)

Acct-Output-Packets (48)

Acct-Input-Gigawords(52)

Acct-Output-Gigawords(53)

Registration flags in "mobileip-mn-flags" cisco-avpair attribute

Vrf name in "mobileip:ip-vrf" cisco-avpair attribute

"mobileip:mn-reject-code" cisco-avpair attribute (only in accounting-stop and accounting update, when an RRQ is rejected.)

Use the following commands to enable the HA accounting features:

ip mobile home-agent accounting method name

Synching Accounting Counters with HA Redundancy Setup

If Home Agent accounting is enabled in a redundant setup along with periodic accounting, accounting counters are periodically synched between the active and standby if the following command is configured:

ip mobile home-agent method redundancy [virtual-network address address] periodic-sync

When you configure the ip mobile home-agent method redundancy periodic-sync command, the byte and packet counts for each binding are synced to the standby unit using an accounting update event, if and only if the byte counts have changed since the last sync. Time-of-the-day accounting is not supported.

Here is an example:

If you configure aaa accounting update periodic 60 and ip mobile home-agent method redundancy update-periodic, and open a binding, the following events occur:

If no data passes through the binding after the binding is opened, the byte counts will not be synced to the standby unit even though the interim accounting records are sent to the AAA server.

Assume that 500 bytes pass through the binding in either direction before the next interim record is sent. In this case, when the interim record is triggered from the active unit, counters are synched to the standby

Now, assume that no more data is pumped through the flow before the next interim interval. Now, when the interim record is triggered from the active unit, nothing is synched to the standby unit, as there is nothing new to report.

At this point, if a switchover happens, the newly active unit will have a count of 500 bytes in/out and 5 packets in/out (assuming 5 packets of 100 bytes each had passed through the binding at step 2) for the binding. After the old active recovers and becomes a standby unit, these counters will be bulk synced to the standby unit.

The Home Agent can notify the RADIUS server of a home agent failover. This is achieved by including the cisco-avpair radius attribute "mobileip-rfswat=1" in RADIUS accounting records. This attribute is included only in the first accounting record of a binding generated after a failover, and if that binding was created before the failover.

For example, when a binding is created, an accounting start is sent for the binding. After a while, the active reloads and the standby takes over. After some time, the standby sends an accounting update to the RADIUS server for the binding. Cisco-avpair radius attribute "mobileip-rfswat=1" is added to this accounting record by the Home Agent.

The command to enable this feature is:

ip mobile home-agent redundancy group virtual-network address HA address swact-notification

Basic Accounting Messages

The Cisco Mobile Wireless Home Agent supports the Cisco Service Selection Gateway (SSG). In this release, the HA sends only three accounting messages without statistics information. The SSG is designed and deployed in such a way that all the network traffic passes through it.

Since all the traffic passes through the SSG, it has all of the statistical information; however, it does not have Mobile IP session information. The Home Agent has the Mobile IP session information, and sends that information to the SSG.

The HA sends the following messages to the SSG/AAA server:

Accounting Start: The HA sends this message to the SSG/AAA server when:

A MN successfully registers for the first time. This indicates the start of new Mobile IP session for a MN.

In case of redundant HA configuration, a stand-by HA will send an Accounting Start message only when it becomes active and it does not have any prior bindings. This allows the SSG to maintain host objects for MNs on failed HA. However, redundancy is not supported in Phase-1.

Accounting Update: The HA generates an Accounting Update message if periodic accounting update message is configured, and when the mobile node changes its point of attachment (POA). For a Mobile IP session, this corresponds to a successful re-registration from a mobile node when it changes its care-of address (CoA). The CoA is the current location of the mobile node on the foreign network. Additionally, the HA sends an accounting update message with correct reject code when re-registration fails for an existing binding.

Accounting Stop: The HA sends an Accounting Stop message when a RRP with error code is sent for an authenticated NAI (except for MobileIP error code 136), due and if binding does not exist for the NAI.

All the messages contain the following information:

Network Access Identifier (NAI): This is the MN's name. It looks similar to abc@service_provider1.com

Network Access Server (NAS) IP: This is the accounting node's IP address. Since the HA is the accounting node, this field carries the HA address.

Framed IP Address: This is the IP address of the MN. Typically the HA will allot an IP address to a MN after successful registration.

Point Of Attachment (POA): This field indicates the point of attachment for the MN on the network. For a mobile IP session, this is the MN's Care-Of-Address (COA).

System Accounting in HA

An accounting-on is sent while a Home Agent is brought into the service (in other words, at the time of initialization after reloading a box), and if there is no active Home Agent at that time.

An accounting-off could be sent when the active Home Agent is taken out of service (graceful or otherwise), and if there is no standby Home Agent to provide the Home Agent service. Note that, accounting-off is not guaranteed.

An accounting-off is not sent when the standby Home Agent is taken out of service (graceful or otherwise).

Messages Not Sent By Mobile IP Home Agent

The following messages are not sent by Mobile IP Home Agent.

Accounting On Message (Acct-Status-Type=Accounting-On) when the HA box comes online or boots up: This message is a global entity for the platform, irrespective of Mobile IP configuration. This message is typically implemented by the platform code during initialization, and not by a service such as Mobile IP.

Accounting Off Message (Acct-Status-Type=Accounting-Off) when the HA box is shutdown: This message is also a global entity for the platform, irrespective of Mobile IP configuration. This message is typically implemented by the platform code during reboot, and not by a service such as Mobile IP.

Configuring HA Accounting

Mobile IP currently uses AAA commands to configure authorization parameters. All of the following commands are required. By default, the HA Accounting feature will be disabled; the HA will not send accounting messages to the AAA server unless configured. To enable the HA Accounting feature, perform the following tasks:

 
Command
Purpose

Step 1 

Router(config)# ip mobile home-agent accounting list

Enables HA accounting, and applies the previously defined accounting method list for Home Agent. list is the AAA Accounting method used to generate HA accounting records.

Step 2 

Router(config)# ip mobile home-agent method redundancy [virtual-network address address] periodic-sync

Syncs the byte and packet counts for each binding to the standby unit using an accounting update event. This sync only occurs if the byte counts have changed since the last sync.

Step 3 

Router(config)# aaa accounting network method list name start-stop group group name

Sends a "start" accounting notice at the beginning of a process, and a "stop" accounting notice at the end of a process. The "start" accounting record is sent in the background. The requested user process begins regardless of whether the "start" accounting notice is received by the accounting server.

Step 4 

Router(config)# aaa accounting update newinfo

Enables an interim accounting record to be sent to the accounting server whenever there is new accounting information to report relating to the user in question.

Step 5 

Router(config)# aaa accounting system default start-stop group radius

Enables the HA to send system messages.

Step 6 

Router# debug aaa accounting

Enables debugging of HA Accounting messages.

Step 7 

Router# debug radius

Router# debug tacacs

Enables debugging of security protocol specific messages.

Step 8 

Router# debug ip mobile

Enable Mobile IP related debug messages. Accounting will print debug messages only in case of errors.

HA Accounting Configuration Examples

The first block of commands are AAA configurations. An accounting method list (mylist) is created for network accounting. Start-Stop keywords imply that HA will send Start and Stop records. For detailed information, see the IOS Security Configuration Guide.

The Second line instructs the HA to send accounting Update records, whenever there is a change in Care-Of-Address (COA).

ip mobile home-agent accounting mylist address 10.3.3.1
ip mobile host 10.3.3.2 3.3.3.5 interface Ethernet2/2
ip mobile secure host 10.3.3.2 spi 1000 key ascii test algorithm md5 mode prefix-suffix
!

These are Mobile IP commands. On the first line, accounting method list mylist is applied on the Home Agent, thus enabling HA Accounting.

!
!
radius-server host 172.16.162.173 auth-port 1645 acct-port 1646
radius-server retransmit 3
radius-server key cisco

!

These are RADIUS commands. The first line specifies the RADIUS server address. Make sure the HA can reach the AAA server and has proper access privileges.

Here is a sample HA Accounting configuration:

ACTIVE HA:

router#
router#show run
Building configuration...
Current configuration : 4927 bytes
!
! Last configuration change at 05:12:03 UTC Thu Oct 13 2005
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco7200
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication ppp default local group radius
aaa authorization config-commands
aaa authorization ipmobile default group radius
aaa authorization network default local group radius
aaa authorization configuration default group radius
aaa accounting update newinfo periodic 2
aaa accounting network mylist start-stop group radius
aaa accounting system default start-stop group radius
!
!
aaa session-id common
!
resource manager
!
no ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp ping packets 0
!
!
ip dhcp-server 99.107.0.13
vpdn-group 1
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 1
!
!
no virtual-template snmp
!
!
username cisco7200 password 0 cisco
!
interface Loopback1
ip address 11.0.0.1 255.0.0.0
!
interface FastEthernet0/0
description "LINK TO HAAA................!"
ip address 150.2.13.40 255.255.0.0
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex half
no cdp enable
standby 4 ip 150.2.0.252
standby 4 priority 110
standby 4 preempt delay reload 300
standby 4 name cisco1
!
interface FastEthernet1/0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
duplex half
no cdp enable
!
interface FastEthernet2/0
description "LINK TO PDSN................!"
ip address 7.0.0.10 255.0.0.0
no ip route-cache cef
no ip route-cache
duplex half
standby 2 ip 7.0.0.2
standby 2 priority 110
standby 2 preempt delay reload 300
standby 2 name cisco
!
interface FastEthernet3/0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
duplex half
no cdp enable
bridge-group 4
bridge-group 4 spanning-disabled
!
interface Ethernet6/0
description ""LINK TO REFLECTOR...."
ip address 99.107.0.19 255.255.0.0
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex half
no cdp enable
standby 3 ip 99.107.89.67
standby 3 priority 110
standby 3 preempt delay reload 300
standby 3 name reflector
!
interface Ethernet6/1
description "LINK TO TFTP....."
ip address 1.7.130.10 255.255.0.0
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex half
no cdp enable
!
interface Ethernet6/2
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
duplex half
no cdp enable
!
interface Ethernet6/3
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
duplex half
no cdp enable
!
interface Ethernet6/4
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
duplex half
no cdp enable
!
interface Ethernet6/5
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
duplex half
no cdp enable
!
interface Ethernet6/6
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
duplex half
no cdp enable
!
interface Ethernet6/7
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
shutdown
duplex half
no cdp enable
!
interface Virtual-Template1
no ip address
!
router mobile
!
ip local pool LNS-Pool 8.3.0.1 8.3.0.100
ip local pool ispabc-pool 40.0.0.101 40.0.0.255
ip default-gateway 10.1.2.13
ip classless
ip route 8.0.0.1 255.255.255.255 7.0.0.1
ip route 9.0.0.1 255.255.255.255 7.0.0.1
ip mobile home-agent accounting mylist broadcast
ip mobile home-agent redundancy cisco virtual-network address 7.0.0.2 periodic-sync
ip mobile virtual-network 40.0.0.0 255.0.0.0
ip mobile host nai @ispxyz.com address pool local ispabc-pool virtual-network 40.0.0.0 255.0.0.0 aaa lifetime 250
ip mobile secure home-agent 7.0.0.2 spi 1001 key ascii cisco algorithm md5 mode prefix-suffix
ip mobile secure home-agent 7.0.0.67 spi 1001 key ascii cisco algorithm md5 mode prefix-suffix
!
no ip http server
!
!
ip radius source-interface Loopback1
access-list 120 deny ip 40.0.0.0 0.255.255.255 40.0.0.0 0.255.255.255
access-list 120 permit ip any any
dialer-list 1 protocol ip permit
!
!
radius-server host 150.2.0.2 auth-port 1645 acct-port 1646
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send accounting 3gpp2
radius-server vsa send authentication 3gpp2
!
control-plane
!
dial-peer cor custom
!
!
gatekeeper
shutdown
!
alias exec shb sh ip mob bin
alias exec shr sh ip route
alias exec sht sh ip mob tun
alias exec shh sh ip mob host
alias exec clr clear ip mob bin all
!
line con 0
exec-timeout 0 0
length 0
stopbits 1
line aux 0
exec-timeout 0 0
password 7 0507070D
length 0
stopbits 1
line vty 0 4
password 7 0507070D
!
no scheduler max-task-time
ntp master 1
ntp update-calendar
ntp server 30.1.0.1
!
end
router#

STANDBY HA:

router#
router#show run
Building configuration...
Current configuration : 3995 bytes
!
! No configuration change since last restart
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname cisco7200
!
boot-start-marker
boot system tftp /auto/tftpboot-users/tennis/c7200-h1is-mz.123-3.8.PI2 171.69.1.129
boot-end-marker
!
enable password 7 00445566
!
no spd enable
aaa new-model
!
!
aaa authentication ppp default local group radius
aaa authorization config-commands
aaa authorization ipmobile default group radius
aaa authorization network default local group radius
aaa authorization configuration default group radius
aaa accounting update newinfo periodic 2
aaa accounting network mylist start-stop group radius
aaa accounting system default start-stop group radius
!
!
aaa session-id common
!
resource manager
!
ip subnet-zero
!
!
no ip cef
ip ftp username pdsn-team
ip ftp password 7 pdsneng
ip host PAGENT-SECURITY-V3 32.68.10.4 38.90.0.0
ip name-server 11.69.2.133
no ip dhcp use vrf connected
!
!
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group 1
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 1
!
!
no virtual-template snmp
!
username mwt13-7200b password 0 cisco
!
interface Loopback1
ip address 11.0.0.1 255.0.0.0
no ip route-cache
!
interface FastEthernet0/0
ip address 4.0.10.2 255.0.0.0
no ip route-cache
duplex half
no cdp enable
!
interface FastEthernet1/0
no ip address
no ip route-cache
duplex half
no cdp enable
!
interface FastEthernet2/0
description "LINK TO HAAA................!"
ip address 15.2.13.20 255.255.0.0
no ip route-cache
duplex full
no cdp enable
standby 4 ip 15.2.0.252
standby 4 name cisco1
!
interface FastEthernet5/0
description "LINK TO PDSN................!"
ip address 7.0.0.67 255.0.0.0
no ip route-cache
duplex full
standby 2 ip 7.0.0.2
standby 2 name cisco
!
interface Ethernet6/0
description "LINK TO REFLECTOR....!"
ip address 22.107.0.12 255.255.0.0
no ip route-cache
no ip mroute-cache
duplex half
no cdp enable
standby 3 ip 22.107.89.67
standby 3 name reflector
!
interface Ethernet6/1
description "LINK TO TFTP....."
ip address 1.7.130.2 255.255.0.0
no ip route-cache
duplex half
no cdp enable
!
interface Ethernet6/2
no ip address
no ip route-cache
shutdown
duplex half
no cdp enable
!
interface Ethernet6/3
no ip address
no ip route-cache
shutdown
duplex half
no cdp enable
!
router mobile
!
ip local pool LNS-Pool 8.3.0.1 8.3.0.100
ip local pool ispabc-pool 40.0.0.101 40.0.0.255
ip default-gateway 10.1.2.13
ip classless
ip route 8.0.0.1 255.255.255.255 7.0.0.1
ip route 9.0.0.1 255.255.255.255 7.0.0.1
ip mobile home-agent accounting mylist broadcast
ip mobile home-agent redundancy cisco virtual-network address 7.0.0.2 periodic-sync
ip mobile virtual-network 40.0.0.0 255.0.0.0
ip mobile host nai @ispxyz.com address pool local ispabc-pool virtual-network 40.0.0.0 255.0.0.0 aaa lifetime 250
ip mobile secure home-agent 7.0.0.2 spi 1001 key ascii cisco algorithm md5 mode prefix-suffix
ip mobile secure home-agent 7.0.0.10 spi 1001 key ascii cisco algorithm md5 mode prefix-suffix
!
no ip http server
!
!
ip radius source-interface Loopback1
dialer-list 1 protocol ip permit
!
!
radius-server host 150.2.0.2 auth-port 1645 acct-port 1646
radius-server key cisco
radius-server vsa send accounting
radius-server vsa send accounting 3gpp2
radius-server vsa send authentication 3gpp2
!
control-plane

!
gatekeeper
shutdown
!
alias exec shb sh ip mob bin
alias exec shr sh ip route
alias exec sht sh ip mob tun
alias exec shh sh ip mob host
alias exec clr clear ip mob bin all
!
line con 0
exec-timeout 0 0
length 0
stopbits 1
line aux 0
exec-timeout 0 0
length 0
stopbits 1
line vty 0 4
password 7 0507070D
!
no scheduler max-task-time
ntp master 1
ntp update-calendar
ntp server 30.1.0.1
!
end

Verifying HA Accounting Setup

The HA Accounting status can be verified by issuing the show ip mobile global command. The current accounting status is displayed as shown below:

router# sh ip mobile global
IP Mobility global information:
Home Agent
Registration lifetime: 10:00:00 (36000 secs)
Broadcast enabled
Replay protection time: 7 secs
Reverse tunnel enabled
ICMP Unreachable enabled
Strip realm disabled
NAT Traversal disabled
HA Accounting enabled using method list: mylist
NAT UDP Tunneling support enabled
UDP Tunnel Keepalive 110
Forced UDP Tunneling disabled
Standby groups
cisco (virtual network - address 7.0.0.2)
Virtual networks
40.0.0.0 /8
Foreign Agent is not enabled, no care-of address
0 interfaces providing service
Encapsulations supported: IPIP and GRE
Tunnel fast switching enabled, cef switching enabled
Tunnel path MTU discovery aged out after 10 min
Radius Disconnect Capability disabled

router#

hometocprevnextglossaryfeedbacksearchhelp

Posted: Fri Nov 17 00:40:58 PST 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.